/Invoke-NewX509Cert.ps1:
--------------------------------------------------------------------------------
# reference:
# awesome work by Jesse Davis @secabstraction
# https://github.com/secabstraction/PowerCat/blob/master/Functions/Helpers/New-X509Certificate.ps1
function New-X509Certificate
{
    <#
    .SYNOPSIS
        Builds a self-signed X.509 certificate (subject == issuer) with the CertEnroll COM
        objects, installs it, and writes the resulting PFX (PKCS #12) as Base64 text to
        "<CommonName>.txt" in the current directory.
    .PARAMETER CommonName
        Subject (and issuer) common name. It is also used as the certificate friendly name
        and as the base name of the output file.
    .PARAMETER EKValue
        Enhanced Key Usage OID placed in the EKU extension:
        1.3.6.1.5.5.7.3.1 (server authentication) or 1.3.6.1.5.5.7.3.2 (client authentication).
    .OUTPUTS
        Nothing is returned to the pipeline: the X509Certificate2 construction and the
        'return' at the bottom are commented out. The function's effects are the installed
        certificate/key and the PFX text file.
    .NOTES
        Review notes (what this function leaves behind on the host):
        - ExportPolicy = 2 marks the private key as plaintext-exportable and CreatePFX is
          called with an empty password, so "<CommonName>.txt" holds an unprotected private
          key. Restrict its ACL or delete it as soon as it has been consumed.
        - MachineContext = $true and InitializeFromPrivateKey(2, ...) request the machine
          context, so the key and certificate persist after the function returns (presumably
          in the LocalMachine store -- confirm) and should be removed explicitly when no
          longer needed.
        - InstallResponse(2, ...) passes AllowUntrustedCertificate, which is what allows a
          self-signed certificate to be installed without a trusted chain.
    #>
    Param (
        [Parameter(Position = 0, Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [String]$CommonName,

        [Parameter(Mandatory=$true)]
        [ValidateSet("1.3.6.1.5.5.7.3.1","1.3.6.1.5.5.7.3.2")]
        [ValidateNotNullOrEmpty()]
        [String]$EKValue
    )

    ###############INITIALIZE THE DESIRED SUBJECT NAME IN THE CERTIFICATE######################################
    $DN = New-Object -ComObject 'X509Enrollment.CX500DistinguishedName.1'
    <##
    >The 'Encode' method initializes the object from a string that contains a distinguished name.
    >First param: A basic String (BSTR) variable that contains the string to encode
    >Second param: An X500NameFlags enumeration value that specifies the format of the
     encoded value. X509Enrollment.CX500DistinguishedName exposes all the various encoding options available
     - XCN_CERT_NAME_STR_NONE = 0
       +Display characteristics are not identified
    >If the function succeeds, the function returns S_OK
    ##>
    # $CommonName is interpolated verbatim into the DN string; nothing escapes DN
    # metacharacters (e.g. a comma) in the value.
    $DN.Encode("CN=$CommonName", 0)

    ###############CREATES THE SUBJECT'S PRIVATE KEY############################################################
    <##
    The IX509PrivateKey interface represents an asymmetric private key that can be used for encryption,
    signing and key agreement.
    ##>
    $PrivateKey = New-Object -ComObject 'X509Enrollment.CX509PrivateKey.1'
    $PrivateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider" #Cryptographic provider

    <##
    >KeySpec = Specifies whether a PK can be used for (signing or Encryption or both)
    - XCN_AT_NONE = 0
      +It is set if the provider that supports the key is a Cryptography API: Next Generation (CNG)
    - XCN_AT_KEYEXCHANGE = 1
      +The Key can be used to encrypt (including Key Exchange) or sign depending on the Algorithm.
      +For RSA Algorithms, if this value is set, the Key can be used for both signing and Encryption
      +For other Algorithms, signing may not be supported.
    - XCN_AT_SIGNATURE = 2
      +The key can be used for signing
    ##>
    $PrivateKey.KeySpec = 1 #XCN_AT_KEYEXCHANGE

    <##
    >The 'ExportPolicy' property specifies or retrieves export constraints for a private key
    >This property is web enabled for both input and output
    >The property is read and write

    - X509PrivateKeyExportFlags values to specify the export policy for private Key
      +XCN_NCRYPT_ALLOW_EXPORT_NONE = 0 /Export is not allowed. This is the default value
      +XCN_NCRYPT_ALLOW_EXPORT_FLAG = 1 /The private key can be exported
      +XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG = 2 /The private key can be exported in plain text
      +XCN_NCRYPT_ALLOW_ARCHIVING_FLAG = 4 /The private key can be exported once for archiving
      +XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG = 8 /Private key can be exported once in plain text for archiving
    ##>
    # Review note: plaintext export is the weakest policy; it is what makes the
    # passwordless CreatePFX() call further down possible.
    $PrivateKey.ExportPolicy = 2 # XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG

    <##
    >The MachineContext property specifies or retrieves a Boolean value (true or false) that identifies
     the local certificate store context. This property is web enabled for both input and output
    >A VARIANT_BOOL variable that identifies the certificate store context
     - $TRUE = for the computer
     - $FALSE = for the user
    ##>
    # Machine-context keys generally need elevated rights to create -- confirm before
    # relying on this from an unprivileged session.
    $PrivateKey.MachineContext = $true

    $PrivateKey.Length = 2048 #Specifies or retrieves the length, in bits, of the private key
    $PrivateKey.Create() #The Create method creates an asymmetric private key

    ###############USE THE IOBJECTID INTERFACE which REPRESENTS AN OBJECT IDENTIFIER(OID)##############################
    $HashAlg = New-Object -ComObject 'X509Enrollment.CObjectId.1'

    <##
    >The InitializeFromAlgorithmName method initializes the object from an algorithm or an object identifier.

    - ObjectIDGroupId = Specifies the OID Group to search
      +XCN_CRYPT_ANY_GROUP_ID = 0
      +XCN_CRYPT_HASH_ALG_OID_GROUP_ID = 1,
      +XCN_CRYPT_ENCRYPT_ALG_OID_GROUP_ID = 2,
      +XCN_CRYPT_PUBKEY_ALG_OID_GROUP_ID = 3,
      +XCN_CRYPT_SIGN_ALG_OID_GROUP_ID = 4,
      +XCN_CRYPT_RDN_ATTR_OID_GROUP_ID = 5,
      +XCN_CRYPT_EXT_OR_ATTR_OID_GROUP_ID = 6,
      +XCN_CRYPT_ENHKEY_USAGE_OID_GROUP_ID = 7,
      +XCN_CRYPT_POLICY_OID_GROUP_ID = 8,
      +XCN_CRYPT_TEMPLATE_OID_GROUP_ID = 9,
      +XCN_CRYPT_LAST_OID_GROUP_ID = 9,
      +XCN_CRYPT_FIRST_ALG_OID_GROUP_ID = 1,
      +XCN_CRYPT_LAST_ALG_OID_GROUP_ID = 4,
      +XCN_CRYPT_OID_DISABLE_SEARCH_DS_FLAG = 0x80000000,
      +XCN_CRYPT_KEY_LENGTH_MASK = 0xffff0000

    - ObjectIdPublicKeyFlags = Enumeration value that specifies whether to search for a signing or an encryption algorithm
      +XCN_CRYPT_OID_INFO_PUBKEY_ANY = 0, /Algorithm can be used for signing or encryption
      +XCN_CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG = 0x80000000, /Algorithm used for signing
      +XCN_CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG = 0x40000000 /Algorithm is used for encryption

    - AlgorithmFlags = Enumeration values to refine the search for a cryptographic algorithm
      +AlgorithmFlagsNone = 0x00000000, /no flags are specified
      +AlgorithmFlagsWrap = 0x00000001 /Algorithm is used for key wrapping.

    - strAlgorithmName = a BSTR variable that contains the name. CNG Algorithm Names
      + 'SHA512' = the 512-bit secure hash algorithm
    ##>
    $HashAlg.InitializeFromAlgorithmName(1, 0, 0, 'SHA512')

    <##
    >InitializeFromValue initializes the object from a string that contains a dotted decimal OID
    >1.3.6.1.5.5.7.3.1 = Indicates that the certificate can be used as an SSL Server Certificate
    >1.3.6.1.5.5.7.3.2 = Indicates that the certificate can be used as an SSL Client Certificate
    >All certificate content is encoded using Abstract Syntax Notation 1 Distinguished Encoding Rules (ASN.1 DER)
    >$ServerAuthOid stores the OID value which will be encoded later
    ##>
    $ServerAuthOid = New-Object -ComObject 'X509Enrollment.CObjectId.1'
    $ServerAuthOid.InitializeFromValue($EKValue)

    <##
    >X509Enrollment.CObjectIds.1 allows you to define methods and properties that enable you to manage a
     collection of IObjectId objects
    >X509Enrollment.CX509ExtensionEnhancedKeyUsage.1 is used to define a collection of OIDs that identify the
     intended uses of the public key contained in the certificate.
    >The InitializeEncode method enables you to construct a Distinguished Encoding Rules
     (DER) encoded Abstract Syntax Notation One (ASN.1) extension object from raw data
    >InitializeEncode initializes the extension from a collection of OIDs that specify the intended uses
     of the public key
    ##>
    $EkuOid = New-Object -ComObject 'X509Enrollment.CObjectIds.1'
    $EkuOid.Add($ServerAuthOid) #Points to the ObjectId value set before by $ServerAuthOid
    $EkuExtension = New-Object -ComObject 'X509Enrollment.CX509ExtensionEnhancedKeyUsage.1'
    $EkuExtension.InitializeEncode($EkuOid) # the EKU extension is the only extension added to the request

    ################SIGN AND ENCODE A CERTIFICATE#####################################################################
    <##
    >The IX509CertificateRequestCertificate interface represents a request object for a self-generated
     certificate, enabling you to create a certificate directly without going through a registration or
     certification authority.

    - InitializeFromPrivateKey = Initializes the certificate request using the $PrivateKey already
      created before. It uses an IX509PrivateKey object and optionally a template.
      +X509CertificateEnrollmentContext = Enumeration value requested
        *ContextUser=0x1, /The certificate is being requested for an end user
        *ContextMachine=0x2, /The certificate is intended for a computer.
        *ContextAdministratorForceMachine=0x3 /The certificate is being requested by an administrator acting on behalf of a computer.
      +PrivateKey = Pointer to the IX509PrivateKey interface that represents the private key = $PrivateKey
      +TemplateName = a BSTR variable that contains the Common Name (CN) of the template as it appears
       in Active Directory or the dotted decimal object identifier.

    - X509Extensions = Interface that defines methods and properties to manage a collection of IX509 extensions
      +Add = Adds an IX509Extension object to the collection = $EkuExtension
    - HashAlgorithm = Specifies and retrieves the OID of the hash algorithm used to sign the cert request
    - Encode = Signs and encodes a certificate request and creates a key pair if one does not exist.
      The request is encoded by using Distinguished Encoding Rules (DER) as defined by ASN.1
      The encoding process creates a byte array.

    >For a PKCS #10 request, this method:
     -Updates the private key or creates the key if necessary.
     -Populates the public key from the private key.
     -Updates the extensions, adding any default extensions and taking account of the suppressed
      OID collection and critical extension OID collection.
     -Updates the attributes, adding default attributes and taking account of the suppressed OID collection.
     -Assembles and encodes the unsigned updated request.
     -Creates and encodes a signature.
     -Encodes the signature and the unsigned request.
    ##>
    $Certificate = New-Object -ComObject 'X509Enrollment.CX509CertificateRequestCertificate.1'
    $Certificate.InitializeFromPrivateKey(2, $PrivateKey, '')   # 2 = ContextMachine; '' = no template
    $Certificate.Subject = $DN
    $Certificate.Issuer = $Certificate.Subject                  # issuer == subject: self-signed
    $Certificate.NotBefore = [DateTime]::Now.AddDays(-1)        # backdated one day (local clock)
    $Certificate.NotAfter = $Certificate.NotBefore.AddDays(90)  # 90-day validity window
    $Certificate.X509Extensions.Add($EkuExtension)
    $Certificate.HashAlgorithm = $HashAlg                       # SHA-512 signature hash
    $Certificate.Encode()

    ################ENROLL IN A CERTIFICATE HIERARCHY AND INSTALL A CERTIFICATE RESPONSE############################
    <##
    >The IX509Enrollment interface represents the top level object and enables you to enroll in a cert and
     install a certificate response.

    - CreateRequest()
      This method calls the Encode method to encode the raw data from the associated request object
      It uses the information provided during initialization and other properties that have been specified
      Creates a dummy certificate and places it in the request store.
      Before calling this method, one must initialize the IX509Enrollment object (InitializeFromRequest)
      +EncodingType = Enumeration value that specifies the type of Unicode encoding applied to the
       DER-encoded request. The default value is XCN_CRYPT_STRING_BASE64
        *XCN_CRYPT_STRING_BASE64HEADER = 0,
        *XCN_CRYPT_STRING_BASE64 = 0x1,
        *XCN_CRYPT_STRING_BINARY = 0x2,
        *XCN_CRYPT_STRING_BASE64REQUESTHEADER = 0x3,
        *XCN_CRYPT_STRING_HEX = 0x4,
        *XCN_CRYPT_STRING_HEXASCII = 0x5,
        *XCN_CRYPT_STRING_BASE64_ANY = 0x6,
        *XCN_CRYPT_STRING_ANY = 0x7,
        *XCN_CRYPT_STRING_HEX_ANY = 0x8,
        *XCN_CRYPT_STRING_BASE64X509CRLHEADER = 0x9,
        *XCN_CRYPT_STRING_HEXADDR = 0xa,
        *XCN_CRYPT_STRING_HEXASCIIADDR = 0xb,
        *XCN_CRYPT_STRING_HEXRAW = 0xc,
        *XCN_CRYPT_STRING_NOCRLF = 0x40000000,
        *XCN_CRYPT_STRING_NOCR = 0x80000000
      +pValue = Pointer to a BSTR variable that contains the DER-encoded request.
       In PowerShell, the $Enroll object carries the DER-encoded request; it is already in use
       because CreateRequest is being called on it.

    - InstallResponse()
      Installs a certificate chain on the end-entity computer.
      +Restrictions (enumeration value)
       Specifies the type of certificate that can be installed.
        *AllowNone = 0x00000000, /Does not allow the installation of untrusted certificates or certificates for which there is no corresponding request.
        *AllowNoOutstandingRequest = 0x00000001, /Creates the private key from the certificate response rather than from the dummy certificate
         This makes the dummy certificate optional. If this value is not set, the dummy certificate must exist and the private key is extracted from it.
        *AllowUntrustedCertificate = 0x00000002, /Installs untrusted end entity and certification authority certificates.
         CA certificates include root and subordinate certification authority certificates.
         Entity certificates are installed to the personal store, and certification authority certificates are installed to the certification store.
        *AllowUntrustedRoot = 0x00000004 /Performs the same action as the AllowUntrustedCertificate flag but also installs the certificate even if the
         certificate chain cannot be built because the root is not trusted.
      +Response = A BSTR variable that contains the DER-encoded response
       In this case it is $Csr, since the request started with $Enroll back in CreateRequest().
       Remember that here we are using the DER-encoded response and not the request.
      +Encoding = An EncodingType enumeration value that specifies the type of encoding applied to the string.
       EncodingType was shown above; the script chooses enumeration value 1 because the response was Base64-encoded.
      +Password = Optional password for the certificate installation. This can be NULL or an empty string.
       If there is a password, clear it from memory when you have finished.

    - CreatePFX
      This method creates a Personal Information Exchange (PFX) message.
      The message is contained in a byte array that is encoded by using DER as defined by the ASN.1 standard
      The DER-encoded byte array is represented by a string that is either a pure binary sequence or is Unicode encoded.
      +Password = A BSTR variable that contains a password for the PFX message.
       This can be NULL to indicate that no password is used.
      +ExportOptions = Expects an enumeration value that specifies how much of the certificate chain is exported.
       You can export the certificate only, the certificate chain without the root, or the entire chain.
        *PFXExportEEOnly = 0, /Includes only the end entity certificate
        *PFXExportChainNoRoot = 1, /Includes the certificate chain without the root CA certificate
        *PFXExportChainWithRoot = 2 /Includes the entire certificate chain.
      +Encoding = expects an enumeration value. By default this is XCN_CRYPT_STRING_BASE64, which is 1
      +pValue = Pointer to a BSTR variable that contains the DER-encoded PFX message
       In this case the last $Enroll

      The PFX format is also known as PKCS #12. The CreatePFX method:
      +Opens the certificate store in memory for the default provider.
      +Adds the installed certificate to the store or builds the certificate chain and adds a link to it.
      +Exports the certificate and the private key to a PFX message depending on the export options specified.
      +Encodes the exported message by using DER.
    ##>
    $Enroll = New-Object -ComObject 'X509Enrollment.CX509Enrollment.1'
    $Enroll.InitializeFromRequest($Certificate) #Initialize the enrollment object from an existing IX509CertificateRequest object
    $Enroll.CertificateFriendlyName = $CommonName #Sets the display name of the certificate
    $Csr = $Enroll.CreateRequest()
    # 2 = AllowUntrustedCertificate (self-signed, no chain), 1 = XCN_CRYPT_STRING_BASE64, '' = no password
    $Enroll.InstallResponse(2, $Csr, 1, '')
    # '' = PFX is NOT password protected; 0 = PFXExportEEOnly; encoding left at its Base64 default
    $Base64 = $Enroll.CreatePFX('', 0)
    # Review note: this drops a Base64 PKCS #12 containing the private key into the current
    # directory as "<CommonName>.txt" with Out-File's default encoding and whatever ACL the
    # directory inherits. Treat the file as key material.
    $file = "$CommonName"+".txt"
    $base64 | out-file $file

    ####################INITIALIZE A NEW INSTANCE OF THE X509CERTIFICATE2 CLASS USING A BYTE ARRAY AND A PASSWORD###########
    <##
    The X509Certificate2 class is used with PKCS12 (PFX) files that contain the certificate's private key.
    Calling the constructor with the correct password decrypts the private key and saves it to a container.
    - rawData = A byte array that contains data from an X.509 certificate
    - Password = Type System.Security.SecureString. The password required to access the X.509 certificate data
    ##>
    # Left disabled by the author, so nothing is emitted to the pipeline (see .OUTPUTS).
    #$Bytes = [Convert]::FromBase64String($Base64) #Gets the certificate and decodes it
    #$X509Cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($Bytes, '')

    #return $X509Cert
}
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2017, VVard0g
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CyberWardogLab
A few scripts I put together for testing purposes and to automate a few capabilities while doing IR. These scripts are also part of my blog https://cyberwardog.blogspot.com/
--------------------------------------------------------------------------------
/SSL_PowerClient.ps1:
--------------------------------------------------------------------------------
function Power-Client
{
    <#
    .SYNOPSIS
        Interactive TLS client for Power-listener. Connects to $RemoteComputer:$port, wraps the
        TCP stream in an SslStream negotiated as a TLS 1.2 client, then relays each line typed at
        the console to the listener and prints what comes back. A typed line whose text matches
        "send-file" or "receive-file" is additionally compiled into a script block and run locally
        so the nested helpers below can move a file over the same stream.
    .PARAMETER RemoteComputer
        Listener address. It is handed to TcpClient.Connect and also to [IPAddress]::Parse, so it
        has to be an IP address literal; a host name will fail in Parse.
    .PARAMETER port
        Listener TCP port.
    .NOTES
        Review notes:
        - The RemoteCertificateValidationCallback given to SslStream always returns $true, so the
          server certificate is never checked: the channel is encrypted, but the peer is not
          authenticated and the "Wardog" target host name passed to AuthenticateAsClient has no
          effect. Pinning the expected certificate thumbprint inside the callback would close
          that gap.
        - The "send-file" / "receive-file" checks are -match substring tests on the whole typed
          line, so any line containing those words is executed locally via Invoke-Command.
        - Bytes read while $TcpNetworkStream.DataAvailable is still true are accumulated into
          $Bytesreceived and then discarded, because the variable is reset to $null at the top of
          the next loop iteration; only the final chunk of a multi-chunk reply is displayed.
    #>
    [CmdletBinding()]
    Param (
        [Parameter()]
        [Alias('c')]
        [string]$RemoteComputer,

        [Parameter()]
        [Alias('p')]
        [int]$port
    )

    # Pushes the local file $local to the listener over $SslStream in 4608-byte chunks.
    # Relies on the enclosing scope for $SslStream, $serverip and $sendback (the line the
    # operator typed, which is forwarded to the listener before the file bytes follow).
    function send-file
    {
        [CmdletBinding()]
        Param (
            [Parameter()]
            [string]$local,

            [Parameter()]
            [string]$remote
        )

        $FileStream = New-Object IO.FileStream @($local, [IO.FileMode]::Open)

        # $destination is not assigned until a few lines below, so it prints empty here.
        Write-host "`n[***]Attempting to send " $local "to" $destination -ForegroundColor Cyan
        Write-Verbose "[***] Local file exists.."
        Write-Verbose "[***] sending file.."

        $SslStream.Write($sendback, 0, $sendback.Length)
        $SslStream.Flush()

        $destination = ("\\" + $serverip.IPAddressToString + "\" + $remote)

        # Assignment-as-condition: a zero-length file skips the whole branch, and then the
        # FileStream opened above is never closed or disposed.
        if ($BytesLeft = $FileStream.Length) {

            $FileOffset = 0
            if ($BytesLeft -gt 4608) { # Max packet size for Ncat

                $BytesToSend = New-Object Byte[] 4608

                while ($BytesLeft -gt 4608) {
                    [void]$FileStream.Seek($FileOffset, [IO.SeekOrigin]::Begin)
                    [void]$FileStream.Read($BytesToSend, 0, 4608)

                    $FileOffset += 4608
                    $BytesLeft -= 4608
                    $SslStream.Write($BytesToSend, 0, $BytesToSend.Length)
                }

                # Send last packet
                $BytesToSend = New-Object Byte[] $BytesLeft
                [void]$FileStream.Seek($FileOffset, [IO.SeekOrigin]::Begin)
                [void]$FileStream.Read($BytesToSend, 0, $BytesLeft)

                $SslStream.Write($BytesToSend, 0, $BytesToSend.Length)
            }
            else { # Only need to send one packet
                $BytesToSend = New-Object Byte[] $BytesLeft
                [void]$FileStream.Seek($FileOffset, [IO.SeekOrigin]::Begin)
                [void]$FileStream.Read($BytesToSend, 0, $BytesLeft)

                $SslStream.Write($BytesToSend, 0, $BytesToSend.Length)
            }
            write-verbose "[***] Done sending bytes.."
            $FileStream.Flush()
            $FileStream.close()
            $FileStream.Dispose()

            write-host ("`nFile " + $local + " was sent successfully to " + $destination) -ForegroundColor Cyan

            if ($local -match ".zip"){
                write-host ("`n[***]Unzipping " + $destination + " Please Wait!") -ForegroundColor Cyan
            }
        }
    }

    # Reads a file from $SslStream into $local (replacing any existing file) and returns the
    # resulting FileInfo via get-item. The transfer is treated as finished on the first read
    # that returns fewer than 4608 bytes.
    function Receive-file
    {
        [CmdletBinding()]
        Param (
            [Parameter()]
            [string]$local,

            [Parameter()]
            [string]$remote
        )

        if (Test-Path $local){remove-item $local -Force}
        else {write-verbose "Local file does not exist. Creating a new one..."}

        $FileStream = New-Object IO.FileStream @($local, [IO.FileMode]::Append)
        $BytesToReceive = New-Object Byte[] 4608

        while ($true)
        {
            $Fileread = $SslStream.Read($BytesToReceive, 0, $BytesToReceive.Length)

            # A zero-length read ends the loop without flushing/disposing $FileStream.
            if($Fileread -eq 0){break}
            else{
                [Array]$Filebytesreceived = $BytesToReceive[0..($Fileread -1)]
                [Array]::Clear($BytesToReceive, 0, $Fileread)
            }

            # NOTE(review): a short read is taken as end-of-file. SslStream.Read is not
            # guaranteed to fill the buffer, so a mid-transfer short read would truncate
            # the file -- confirm against the listener's chunking before relying on this.
            if ($Fileread -eq 4608) {$FileStream.Write($Filebytesreceived, 0, $Filebytesreceived.Length); continue}
            else{
                $FileStream.Write($Filebytesreceived, 0, $Filebytesreceived.Length)
                $FileStream.Flush()
                $FileStream.Dispose()
                break
            }
            # Unreachable: both branches above end in 'continue' or 'break'.
            $FileStream.Flush()
            $FileStream.Dispose()
            break
        }
        Write-Verbose "[***] $remote has been retrieved succesfully"
        get-item $local
    }

    # Sends a single ASCII space to the listener; used to nudge the prompt after an error.
    function invoke-space
    {
        $sendback = $EncodingType.GetBytes(' ')
        $SslStream.Write($sendback, 0, $sendback.Length)
        $SslStream.Flush()
    }

    $Tcpclient = New-Object System.Net.Sockets.TcpClient
    $Tcpclient.Connect($RemoteComputer, $port)
    $serverip = [System.Net.IPAddress]::Parse($RemoteComputer)

    if($TCPClient.Connected){
        Write-Verbose "[***]Connection to $($serverip.IPAddressToString):$port [TCP] succeeded!"
    }
    else{
        # Connect() is not wrapped in try/catch and presumably throws on failure, so this
        # branch is unlikely to run and $_ is not an error record here.
        Write-Verbose "[!!!]Connection to $($serverip.IPAddressToString):$port [TCP] Failed! $($_.Exception.Message)"
    }

    $TcpNetworkstream = $Tcpclient.GetStream()
    $Receivebuffer = New-Object Byte[] $TcpClient.ReceiveBufferSize
    $EncodingType = New-Object System.Text.ASCIIEncoding

    # The validation callback unconditionally accepts the server certificate (see .NOTES).
    $SslStream = New-object System.Net.Security.SslStream ($TcpNetworkStream, $false, { param($Sender, $Cert, $Chain, $Policy) return $true})

    #$SslStream.AuthenticateAsClient("Wardog",$null,[System.Security.Authentication.SslProtocols]::Tls, $null)
    # No client certificate ($null), TLS 1.2 only, no revocation check ($null).
    $SslStream.AuthenticateAsClient("Wardog",$null,[System.Security.Authentication.SslProtocols]::Tls12, $null)

    Write-Verbose "SSLStream Encrypted: $($SslStream.IsEncrypted)"
    Write-Verbose "SSLStream Signed: $($SslStream.IsSigned)"

    try {
        while ($TCPClient.Connected){
            $Bytesreceived = $null
            $Read = $SslStream.Read($Receivebuffer, 0,$Receivebuffer.Length)

            if($Read -eq 0){break}
            else{
                [Array]$Bytesreceived += $Receivebuffer[0..($Read -1)]
                [Array]::Clear($Receivebuffer, 0, $Read)
            }

            # More data pending: loop again (the chunk just read is lost on the reset above).
            if ($TcpNetworkStream.DataAvailable) {continue}
            else {
                write-host -NoNewline $EncodingType.GetString($Bytesreceived).TrimEnd("`r")

                $sendback = $EncodingType.GetBytes((read-host) + "`n")

                $ScriptBlock = $null
                $ScriptBlock = [scriptblock]::Create($EncodingType.GetString($sendback))

                if ($Scriptblock -match "send-file"){
                    try {Invoke-command -ScriptBlock $Scriptblock}
                    catch {Write-Warning $_.Exception.Message; invoke-space}

                }
                elseif($ScriptBlock -match "receive-file"){
                    # Forward the command first and wait for the listener's one-line reply;
                    # only if that reply does not contain "Exception" is the local
                    # Receive-file helper run to read the file bytes that follow.
                    $check = $null
                    $SslStream.Write($sendback, 0, $sendback.Length)
                    $SslStream.Flush()

                    $Read = $SslStream.Read($Receivebuffer, 0, $Receivebuffer.Length)
                    if( $Read -eq 0){break}
                    else{
                        [Array]$Bytesreceived = $Receivebuffer[0..($Read -1)]
                        [Array]::Clear($Receivebuffer, 0, $Read)
                    }
                    $check = $EncodingType.GetString($Bytesreceived).TrimEnd("`r")
                    if ($check -match "Exception"){
                        write-warning $check
                    }
                    else{
                        try {Invoke-command -ScriptBlock $Scriptblock}
                        catch {Write-Warning $_.Exception.Message}
                    }
                    invoke-space
                }
                else {
                    # Anything else is relayed to the listener verbatim.
                    $SslStream.Write($sendback, 0, $sendback.Length)
                    $SslStream.Flush()
                }
            }
        }
    }
    catch{ Write-Warning "`n[!!!]TCP connection is broken, exiting.."}

    try{
        # Older CLRs lack Dispose() on these types, hence the version split.
        if ($PSVersionTable.CLRVersion.Major -lt 4) { $Tcpclient.Close(); $SslStream.Close()}
        else {$SslStream.Dispose(); $Tcpclient.Dispose()}
        Write-host "`n[**] TCPClient Connected: $($Tcpclient.Connected)" -ForegroundColor Cyan
        Write-host "[**] SSLStream was closed/disposed gracefully..`n" -ForegroundColor Cyan
    }
    catch { Write-Warning "[!!!]Failed to close TCP Stream"}
}
--------------------------------------------------------------------------------
/SSL_PowerListener.ps1:
--------------------------------------------------------------------------------
function Power-listener
{
    [CmdletBinding()]
    Param (
        [Parameter()]
        [Alias('p')]
        [int]$port
    )

    function receive-file
    {
        [CmdletBinding()]
        Param (
            [Parameter()]
            [string]$local,

            [Parameter()]
            [string]$remote
        )

        $FileStream = New-Object IO.FileStream @($remote,[IO.FileMode]::Open)

        $destination = ("\\" + $remoteclient + "\" + $local)

        Write-verbose ("Attempting to send " + $remote + " to " + $destination)
        Write-Verbose "[***] Local file exists.."
        Write-Verbose "[***] sending file.."
28 | 29 | $sendback = $EncodingType.GetBytes("file exists") 30 | $SslStream.Write($sendback, 0, $sendback.Length) 31 | $SslStream.Flush() 32 | 33 | if ($BytesLeft = $FileStream.Length) { 34 | 35 | $FileOffset = 0 36 | if ($BytesLeft -gt 4608) { # Max packet size for Ncat 37 | 38 | $BytesToSend = New-Object Byte[] 4608 39 | 40 | while ($BytesLeft -gt 4608) { 41 | [void]$FileStream.Seek($FileOffset, [IO.SeekOrigin]::Begin) 42 | [void]$FileStream.Read($BytesToSend, 0, 4608) 43 | 44 | $FileOffset += 4608 45 | $BytesLeft -= 4608 46 | $SslStream.Write($BytesToSend, 0, $BytesToSend.Length) 47 | } 48 | 49 | # Send last packet 50 | $BytesToSend = New-Object Byte[] $BytesLeft 51 | [void]$FileStream.Seek($FileOffset, [IO.SeekOrigin]::Begin) 52 | [void]$FileStream.Read($BytesToSend, 0, $BytesLeft) 53 | 54 | $SslStream.Write($BytesToSend, 0, $BytesToSend.Length) 55 | } 56 | else { # Only need to send one packet 57 | $BytesToSend = New-Object Byte[] $BytesLeft 58 | [void]$FileStream.Seek($FileOffset, [IO.SeekOrigin]::Begin) 59 | [void]$FileStream.Read($BytesToSend, 0, $BytesLeft) 60 | 61 | $SslStream.Write($BytesToSend, 0, $BytesToSend.Length) 62 | } 63 | write-verbose "[***] Done sending bytes.." 64 | $FileStream.Flush() 65 | $FileStream.close() 66 | $FileStream.Dispose() 67 | 68 | Write-Verbose ("`nFile " + $remote + " was sent successfully to " + $destination) 69 | } 70 | } 71 | 72 | function send-file 73 | { 74 | [CmdletBinding()] 75 | Param ( 76 | [Parameter()] 77 | [string]$local, 78 | 79 | [Parameter()] 80 | [string]$remote 81 | ) 82 | 83 | if (Test-Path $Remote){remove-item $Remote -Force} 84 | else {write-verbose "Local file does not exist. 
Creating a new one..."}

    # Remainder of the file-receive routine; its header is in the preceding chunk.
    # Incoming bytes are appended to $Remote, which presumably was resolved just above.
    $FileStream = New-Object IO.FileStream @($Remote,[IO.FileMode]::Append)
    # 4608-byte read buffer. The loop uses the read length as its end-of-transfer signal:
    # a full 4608-byte read means "more to come", any shorter read is treated as the last chunk.
    $BytesToReceive = New-Object Byte[] 4608

    while ($true)
    {
        $Fileread = $SslStream.Read($BytesToReceive, 0, $BytesToReceive.Length)

        # A zero-length read (peer closed) leaves the loop WITHOUT Flush/Dispose on $FileStream;
        # the handle is only released when the object is finalized.
        if($Fileread -eq 0){break}
        else{
            [Array]$Filebytesreceived = $BytesToReceive[0..($Fileread -1)]
            [Array]::Clear($BytesToReceive, 0, $Fileread)
        }

        # NOTE(review): a transfer whose final chunk is exactly 4608 bytes takes the 'continue'
        # branch and blocks in Read() until the sender writes more or closes the stream -
        # confirm the sender closes after its last chunk.
        if ($Fileread -eq 4608) {$FileStream.Write($Filebytesreceived, 0, $Filebytesreceived.Length); continue}
        else{
            $FileStream.Write($Filebytesreceived, 0, $Filebytesreceived.Length)
            $FileStream.Flush()
            $FileStream.Dispose()
            break
        }

        # Unreachable: both branches above end in 'continue' or 'break'.
        $FileStream.Flush()
        $FileStream.Dispose()
        break
    }
    Write-Verbose "[***] $Remote has been created succesfully"
}

# Extracts the archive named by the script-scope variable $Receivefile (set by the send-file
# handler further down) into %USERPROFILE% with the Shell.Application COM object.
# Takes no parameters and returns nothing. If Namespace() yields $null (path missing or not
# an archive), .items() throws and the caller's try/catch reports the message to the client.
function invoke-unzip
{
    write-verbose "[+++] Unzipping file.."
    [string]$RemoteFolderPath = ($env:USERPROFILE + "\")
    # CopyHere flags: 4 (no progress dialog) + 16 ("Yes to All" for prompts), so an
    # existing file with the same name is overwritten without asking.
    [int32]$copyOption = 20
    $shell = New-Object -ComObject shell.application
    $zip = $shell.Namespace($Receivefile)

    foreach($item in $zip.items()){
        # NOTE(review): Shell CopyHere may return before the copy has completed, and the
        # caller deletes $Receivefile immediately after this function returns - confirm the
        # extraction is finished by then.
        $shell.Namespace($RemoteFolderPath).copyhere($item, $copyOption) | Out-Null
    }
}

# --- Listener body: open the firewall, accept ONE TLS client and hand it an interactive shell ---
# (the enclosing function's header precedes this chunk; $port is defined there)

# Re-create an inbound allow rule for the listening port. This needs an elevated shell, and
# netsh output is discarded, so a failure here is silent.
netsh advfirewall firewall delete rule name="cyclops $port" | Out-Null
netsh advfirewall firewall add rule name="cyclops $port" dir=in action=allow protocol=TCP localport=$port | Out-Null

# Listen on all interfaces and block until the first client connects; only that one session is served.
$Tcplistener = New-object System.Net.Sockets.TcpListener $port
$Tcplistener.Start()
Write-host "Listening on 0.0.0.0:$port [TCP]"
$TcpClient = $Tcplistener.AcceptTcpClient()

$remoteclient = $TcpClient.Client.RemoteEndPoint.Address.IPAddressToString
Write-Verbose "[**] New connection coming from: $remoteclient"

$TcpNetworkstream = $TCPClient.GetStream()
$Receivebuffer = New-Object Byte[] $TcpClient.ReceiveBufferSize
# ASCII in both directions: non-ASCII characters in commands or output do not survive the trip.
$encodingtype = new-object System.Text.ASCIIEncoding

# Second argument (leaveInnerStreamOpen) is $false: disposing the SslStream also closes the TCP stream.
$SslStream = New-Object System.Net.Security.SslStream($TcpNetworkStream, $false)

# PKCS#12 (PFX) blob, loaded below with an empty password, holding the server certificate AND its
# private key. Because the key ships inside the script, anyone with a copy can present the same
# identity to a client; it gives confidentiality on the wire, not proof of which host was reached.
# Whitespace inside the literal is ignored by FromBase64String.
$Base64Cert = 'MIIJ7gIBAzCCCaoGCSqGSIb3DQEHAaCCCZsEggmXMIIJkzCCBhsGCSqGSIb3DQEH AaCCBgwEggYIMIIGBDCCBgAGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcN AQwBAzAOBAgfuwcLWmzAwAICB9AEggTYmIISFwVwvl5MG8hDW1RG4bd9YCV9CjSy j+yCg0/GjVCORnjyWrqun+IuwQWWfsfzcFR1rafREicw1HlE02U5EVYBhz42Atm2 2lf4luA0bY9Wp6tQOHSh9FCvOUB4tHCbniU9RSpqaWeyrAeXtlV+U/bmhfVgBYct BcxCtBXf06QhEsRsZ5MGlIVYvytJFw7gMxLSZ1V/BAXRVshvHfOiVucSYM+6hj15 i+JptJDBhTKOTIJ/DzXS5wvWvC/YO7aBD79LW4L0Z1TylTjjQzcEnuvwJ4MHKJoo HX/mKWKgx8B670IP3xFxeGgIygfs6S3+izv6qlQOdU8Cc9dpwxy44BZjpZ/6RRrV TaVdq68I26NacB6B0ux0cTN/mkivsad5DFLYyVzrbcLy9pitopK4vBpwNS4gIhsC wgFcncB2gxBBV7W+D9JT7BYCVwNyyPXL5BEHf1cc7qidHnu6Sscy4JVy7UPGeWey gV2ISgS8/oQCgFqFT7f8motAP6rDcJ87ESapamWsZfikbiNXmaxI8q5sXwqI0fxl e0vkJ77c4YSLSM/Q9ZB50dtdsTAGMwCPgtj4u1Eze29ppwbeT+b29ygzq+Ai/o87 tGXFjHsmR550sRPJ9QjCbGng2rJarbD263RbSaCgvwl4Ot8UXafsnUzUZ73GyCHd cF1+F8tPT5L4qmso016/ilYEQgiBjbjY4m8gsXK93J4y/4V/aA+Tfb1EVxyw+Xyd 1DyE3ZSu1pj6u+h+/ICs+YxQoGBrb77kuvQCUdUbBh/6WCOT1+4dzVt9TuOhH3nk xSUXkv61ZNhmXuXqnF/QZ6BhupIMcapuWjnq7kMdg5yVPIEHSYRoAR4Ocm6422qd Z5An5aJizYhgKYpSECk+aImPDZg3H7s9W9xt8KyXU6wKGc/pkSSnxrGpqBd7Z1tP Ycfi+qH6YnV3kgnfgnMCdkdvvLs3Y6oKhyY4kAf7xjpJOcfwDfweO16OHpInbAMw ykEsiG6lJjfCb4t1z28vN+LBaItPeOh4j12Fvm/DThd3xfEPPWANefxT0Hhu0Ya2 pVqKb8tkWmOXn0cNUJ2oZIpXCiqsG2xp/ohQj1vvMUUewdLt6xaqp5CB1Z3HQPQu NoQCeTqWG345+UQlc7D7I9ykvXkEmbrXOu/OZtuldWPadtK/FXJJwnhIEdqy+LTB Bs8wBy3HS4GZZK9XryB7euSvERQSrlc7GLW1EVeQBx3SgH6VQcxXHl4F76Eg+cIB v7wAwII/ZPxyoiVJPLessCeblsE8vWkZGIZYQyTg/TAhmyw4IE3m7pOdjR5izW7Q VmsekKPLFOboDzPlOYqMM+NW1cjxtgz2tlnE8HDhc7WBXHpiYT9Swvwfe8fBWUG2 WT4lSI9AEwdIZWFVY8Y0vuKdA2mC3WUOjGfHDpOhkneIdibvYh077ytwf9Dr55gX 3Ml+4IGhlq0/Ypn173CBdepaiwDiKDt/wDDWHxRet0xNZMkT4FJHJzCanC67OM2l Jp+RvDhIV1wKkUd5UBtUNQkunGa0r2Aba29HqXCNUgeEcKgofQc12ALai1o5lSIy ZsifsJOtTlQJMXykjMa+ThBOqRD8HaG6NqxtmQPOmJsUTH8bhbYAogwL5Exx+kyd DqzFVgdGOzSU8JsDTQG6VTGB7jANBgkrBgEEAYI3EQIxADATBgkqhkiG9w0BCRUx BgQEAQAAADBdBgkqhkiG9w0BCRQxUB5OAHQAcAAtADIAOABjADIAZAA4AGMAYwAt ADMAOQAwAGIALQA0ADUAOABhAC0AYgA0ADUAMwAtADEAYgA3ADgAOABhADAANAA2 ADkAZQA4MGkGCSsGAQQBgjcRATFcHloATQBpAGMAcgBvAHMAbwBmAHQAIABSAFMA QQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMA IABQAHIAbwB2AGkAZABlAHIwggNwBgkqhkiG9w0BBwGgggNhBIIDXTCCA1kwggNV BgsqhkiG9w0BDAoBA6CCAw4wggMKBgoqhkiG9w0BCRYBoIIC+gSCAvYwggLyMIIB 2qADAgECAhBS2S+yS8dFrEXGPZ/x+kz4MA0GCSqGSIb3DQEBDQUAMBExDzANBgNV BAMMBldhcmRvZzAeFw0xNjA3MzAyMTMyNDNaFw0xNjEwMjgyMTMyNDNaMBExDzAN BgNVBAMMBldhcmRvZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPcV x7aY/iDxNmgcSJXAXoFOJUC6wcFBJqd6zUeeqzKACaIKK0fZJbW5xQxikIKnm/a+ DdTNsX56Zd4lInyyS4s8il8yvsjCeZA6gJ/oHg7n0FNWxpxMpAXQ/AWPeMiPntmr UYHAVqD8t+ae8FzLxl9U5t3QHnwl3hAO7UGCGNbJYtUW3lSqC5Z+G0avGYQ4SK9F oR4EzGGrjrIXdS2/+ATw2VQkwhFapJPDtEWdJJMJ71AJCMz6NttR0ncyn9FDo3yV aNbiVUnXRHfSEHH1GYXkkXcGlfPZceAy4sv3S560bBsbIeOeZTx9RBHESYy2gx7V E1iJS/vTPs2VkjavtVcCAwEAAaNGMEQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYD VR0OBBYEFLZmz7Eftq4i/xqL/tufmxVgNNLlMA4GA1UdDwEB/wQEAwIFIDANBgkq hkiG9w0BAQ0FAAOCAQEA0vmVBCtSYQBPSyoU1t3yNGzmoj4tOQ9CmRPMn8jdGz8j xKn35sE77wGAzynIJt2twCmximwdUt+rxYIW8LKxUb5z6OKGWSf7tuxMRMRjfRdB W5lPbcHb1j10S3hFRWy0++kght5B/XEFKglogvNc2YAkYWwzisgS5BnTvXK0nnyV /7Xd9YSUewyAhghIKLeJcds6rseiuefQrelguCLK2OLIgMKAPips1MFQQx4MjBnW 1NzugYg7p08RY8pUEkMID0cPnPQ958s76tw8nSnw/IrVtAepkBK57Bh6jLYaEdNp seWaH4sRhMw/zlhcWr7Xe57RrqcQ3j47qXfSnsBtLjE0MBMGCSqGSIb3DQEJFTEG BAQBAAAAMB0GCSqGSIb3DQEJFDEQHg4AVwBhAHIAZABvAGcAADA7MB8wBwYFKw4D AhoEFCX0sAokP3CeLLp1/HkixdAzljBWBBSiDgXP6sPRUfLf/NCz969K5/EEhgIC B9A='

$SslFakeCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2([System.Convert]::FromBase64String($Base64Cert),'')
#$SslStream.AuthenticateAsServer($SslFakeCert, $false, [System.Security.Authentication.SslProtocols]::tls, $false)
# Arguments: server certificate, clientCertificateRequired=$false, TLS 1.2 only, checkCertificateRevocation=$false.
# No client certificate is requested, so the handshake establishes nothing about the peer:
# every client that completes it reaches the command loop below.
$SslStream.AuthenticateAsServer($SslFakeCert, $false, [System.Security.Authentication.SslProtocols]::tls12, $false)

Write-Verbose "SSLStream Encrypted: $($SslStream.IsEncrypted)"
Write-Verbose "SSLStream Signed: $($SslStream.IsSigned)"

# Banner: host name and the identity commands will run as, followed by the first prompt.
$bytestosend = $encodingtype.GetBytes("`nYou have accessed ["+(hostname)+"] as: "+(whoami)+"`n")
$bytestosend += $encodingtype.GetBytes(("`n["+(hostname)+"] PS " + (Get-Location).Path) +'> ')

$SslStream.Write($bytestosend, 0, $bytestosend.Length)

try{
    # One request/response cycle per pass: read what the client queued, compile it as
    # PowerShell, run it and send the output plus a fresh prompt back.
    while ($TCPClient.Connected){
        $Bytesreceived = $null
        $Read = $SslStream.Read($Receivebuffer, 0, $Receivebuffer.Length)
        if($Read -eq 0){break}
        else{
            [Array]$Bytesreceived += $Receivebuffer[0..($Read -1)]
            [Array]::Clear($Receivebuffer, 0, $Read)
        }

        # NOTE(review): $Bytesreceived is reset at the top of the loop, so when DataAvailable
        # sends us round again only the LAST segment of a multi-segment command survives the
        # '+=' above - confirm the client writes each command in a single send.
        if ($TcpNetworkstream.DataAvailable) {continue}
        else{
            # The received text is compiled and executed in this process as the user running
            # the listener. Nothing before this point has verified who the peer is.
            $ScriptBlock = [ScriptBlock]::Create($EncodingType.GetString($Bytesreceived))
            # The three branches are regex/substring matches on the whole command text, so any
            # command that merely contains "break", "send-file" or "receive-file" takes that path.
            if ($ScriptBlock -match "break") {
                $sendback = $encodingtype.GetBytes(("`n[!!!] Closing Connection with ["+(hostname)+"]. Press ENTER to continue.."))
                $SslStream.Write($sendback, 0, $sendback.Length)
                $SslStream.Flush()
                break
            }
            elseif($ScriptBlock -match "send-file"){
                try {
                    # Runs the client's send-file command, then takes the 3rd and 5th
                    # space-separated tokens as source and destination (paths with spaces break this).
                    invoke-command -ScriptBlock $ScriptBlock
                    $parameters = $null
                    $parameters = $ScriptBlock -split " "
                    $SendingFile = ($parameters[2] | Out-String).TrimEnd()
                    $Receivefile = ($parameters[4] | Out-String).TrimEnd()

                    # ".zip" is an unescaped regex here and in the -split below ("azip" also matches).
                    if ($SendingFile -and $Receivefile -match ".zip"){
                        [string]$splitzip = $Receivefile -split ".zip"
                        [string]$leaf = Split-Path $splitzip -leaf
                        $unzfile = ($env:USERPROFILE + "\" + $leaf)
                        # Archive: extract into the profile folder, drop the archive and report the
                        # extracted item instead of the archive.
                        try {
                            invoke-unzip
                            Remove-Item $Receivefile
                            $ScriptBlock = [scriptblock]::Create("get-item $unzfile")
                        }
                        catch {$sendback = $encodingType.GetBytes($_.Exception.Message)}
                    }
                    else{
                        $ScriptBlock = [scriptblock]::Create("get-item $Receivefile")
                    }
                }
                catch {$sendback = $encodingType.GetBytes($_.Exception.Message)}
            }
            elseif($Scriptblock -match "receive-file"){
                try {
                    # On success nothing (not even a prompt) is sent back; the loop waits for the next command.
                    Invoke-command $Scriptblock
                    continue
                }
                catch {
                    Write-verbose $_.Exception.Message
                    $sendback = $encodingType.GetBytes($_.Exception.Message)
                    $SslStream.Write($sendback, 0, $sendback.Length)
                    $SslStream.Flush()
                    $Bytesreceived = $null
                    continue
                }
            }

            # Collect errors for this command only. If invocation throws, the loop in the catch
            # keeps just the LAST error's message (each pass overwrites $sendback).
            $Global:Error.Clear()

            try {
                $results = $ScriptBlock.Invoke() | Out-String
                $sendback = $encodingtype.GetBytes($results)
            }
            catch{
                write-verbose "NOT VALID COMMAND"
                foreach ($Err in $Global:Error) {
                    $sendback = $encodingType.GetBytes($Err.Exception.Message)
                }
            }

            # Command output is echoed to the verbose stream as well as to the client.
            Write-Verbose "results: $results"

            $sendback += $encodingtype.GetBytes(("`n["+(hostname)+"] PS " + (Get-Location).Path) +'> ')
            $SslStream.Write($sendback, 0, $sendback.Length)
            $SslStream.Flush()
            $results = $null
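$Bytesreceived = $null
        }
    }
}
catch {Write-Verbose "[!!!]TCP connection is broken, exiting.."}

# Teardown (the enclosing function's header precedes this chunk). The CLR < 4 path uses Close(),
# presumably because the public Dispose() methods are not available there.
# The firewall rule is only removed if the disposals succeed: a throw above skips the netsh
# call and leaves the inbound allow rule in place.
# ';' rather than ',' between the two calls in the else branch: the comma built a two-element
# array of the (null) results and pushed it onto the output stream.
try{
    if ($PSVersionTable.CLRVersion.Major -lt 4) {$Tcpclient.Close(); $SslStream.Close(); $Tcplistener.Stop()}
    else {$SslStream.Dispose(); $Tcpclient.Dispose(); $Tcplistener.Stop()}

    Write-Verbose "[**] TCPClient Connected : $($TcpClient.Connected)"
    Write-Verbose "[**] TCPListener was stopped gracefully"
    Write-Verbose "[**] SSL Stream was closed/disposed gracefully`n"

    netsh advfirewall firewall delete rule name="cyclops $port" | Out-Null
    Write-Verbose "[**] FW Rule has been deleted.."
}
catch { Write-Warning "Failed to close TCP Stream"}
}
--------------------------------------------------------------------------------
/computer-icon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3rWard0g/CyberWardogLab/44dd38ee15b06e4fd509d589eb425265faa4326f/computer-icon.ico
--------------------------------------------------------------------------------
/computer_color.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3rWard0g/CyberWardogLab/44dd38ee15b06e4fd509d589eb425265faa4326f/computer_color.ico
--------------------------------------------------------------------------------
/invoke-vt.ps1:
--------------------------------------------------------------------------------
function invoke-vt
{
<#
.SYNOPSIS
Function which allows a security analyst to query the VT database via its API
.DESCRIPTION
Function which allows a security analyst to query the VT database via its API. One could either provide one IOC or
a text file with several IOCs one per line. You can query for Hash, IP, URL or Domain names.
The indicator and the API key are sent percent-encoded in the POST body, so an indicator that
contains '&', '=' or '%' (URLs routinely do) cannot add or alter request parameters.
.PARAMETER Path
Path of a text file or a simple indicator (Text file must have IOCs of the same type and a .txt extension)
.PARAMETER apikey
VirusTotal API key
.PARAMETER type
Type of IOC you are providing (url,domain,file or ip)
.EXAMPLE
PS > C:\scripts> invoke-vt -path 'http://138.201.44.4/' -api yourapikey -type url
Malicious IOC
Reference : https://www.virustotal.com/url/d62381a3a639d236648aeed887157ddd8af4166d3ba1761d0ef87fae
dd69c601/analysis/1484889308/
IOC : http://138.201.44.4/
Scan Date : 2017-01-20 05:15:08
Hits : 2
.EXAMPLE
PS C:\scripts> invoke-vt -path 14b9d54f07f3facf1240c5ba89aa2410 -apikey yourapikey -type file
Malicious IOC
Reference : https://www.virustotal.com/file/680fca118ba3283b4eb57d187258d2d61e6129cac9304497915ce7d
3b1fca510/analysis/1484656730/
IOC : 14b9d54f07f3facf1240c5ba89aa2410
Scan Date : 2017-01-17 12:38:50
Hits : 35
.EXAMPLE
PS C:\scripts> invoke-vt -path C:\IOCs_List.txt -apikey yourapikey -type file
Malicious IOCs found in VT Database
Reference IOC Scan Date Hits
--------- --- --------- ----
https://www.virustota... 212d3ca8d85b389d35825... 2017-01-20 04:38:01 7
https://www.virustota... 14b9d54f07f3facf1240c... 2017-01-17 12:38:50 35
https://www.virustota... 2b0bd7e43c1f98f9db804... 2017-01-20 17:30:37 3
https://www.virustota... 63698ddbdff5be7d5a7ba... 2017-01-18 22:18:18 39
The results have been exported to a csv file and stored in your Downloads folder
.NOTES
The API key is an ordinary string parameter, so it shows up in the command line, the session
history and any transcript; keep it in a variable loaded from a protected file and pass -apikey $vtkey.
A lookup that gets an empty reply (the v2 API answers with an empty body when the request quota
is exceeded) is reported as a warning and skipped rather than failing the whole run.
Throws when -type is omitted or not one of file, ip, url, domain.
#>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$path,
        [Parameter(Mandatory = $true)]
        [String]$apikey,
        [Parameter()]
        [ValidateSet('file','ip','url','domain')]
        [string]$type
    )

    add-type -AssemblyName system.web.extensions
    $invokeweb = New-Object system.net.webclient
    $ps_js = New-Object system.web.script.serialization.javascriptserializer

    # Opt in to TLS 1.2 without dropping anything already enabled, so the HTTPS call does not
    # fall back to TLS 1.0 on older .NET. On a runtime that lacks the enum member the assignment
    # throws and the runtime default is kept.
    try {
        [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    }
    catch {
        Write-Verbose "TLS 1.2 could not be enabled explicitly: $($_.Exception.Message)"
    }

    # Report endpoint for the requested indicator type. ValidateSet covers a supplied -type;
    # an omitted one ends here with an explicit error instead of a null-deserialisation failure.
    $endpoint = switch ($type)
    {
        'file'   { 'https://www.virustotal.com/vtapi/v2/file/report' }
        'ip'     { 'https://www.virustotal.com/vtapi/v2/ip-address/report' }
        'url'    { 'https://www.virustotal.com/vtapi/v2/url/report' }
        'domain' { 'https://www.virustotal.com/vtapi/v2/domain/report' }
        default  { throw "Unsupported IOC type '$type'. Use file, ip, url or domain." }
    }

    # Looks one indicator up and emits the decoded report object(s); emits nothing on an empty reply.
    function Get-VtReport ([string]$ioc)
    {
        # Percent-encode both fields so the indicator cannot inject or override form parameters
        # and the key survives any special characters.
        $body = 'resource=' + [uri]::EscapeDataString($ioc) + '&apikey=' + [uri]::EscapeDataString($apikey)
        $raw = $invokeweb.uploadstring($endpoint, $body)
        if ([string]::IsNullOrWhiteSpace($raw)) {
            Write-Warning "Empty reply from VirusTotal for '$ioc' (request quota exceeded?)"
            return
        }
        $ps_js.Deserializeobject($raw)
    }

    # Shapes one report into the row used for display and CSV export.
    function New-VtRow ($item)
    {
        new-object -TypeName PSObject -Property @{
            'IOC' = $item.resource
            'Hits' = $item.positives
            'Scan Date' = $item.scan_date
            'Reference' = $item.permalink
        }
    }

    if ($Path -like '*.txt')
    {
        # Batch mode: one indicator per line. Blank lines are skipped instead of being sent as
        # an empty query. The date format is kept as-is ('HHmms' renders seconds without a leading zero).
        $date = Get-Date -format _yyyy-MM-dd_HHmms
        $CsvArray = @(
            foreach ($line in (Get-Content -LiteralPath $Path))
            {
                if ([string]::IsNullOrWhiteSpace($line)) { continue }
                [array]$jsonresults = Get-VtReport $line.Trim()
                foreach ($item in $jsonresults)
                {
                    # Keep only indicators VT knows (response_code 1) that had at least one detection.
                    if (($item.response_code -eq 1) -and ($item.positives -ne 0))
                    {
                        New-VtRow $item
                    }
                }
            }
        )
        if ($CsvArray.count -gt 0)
        {
            write-host "Malicious IOCs found in VT Database" -BackgroundColor Red
            $CsvArray | Format-Table
            write-host "`nThe results have been exported to a csv file and stored in your Downloads folder" -ForegroundColor yellow
            $CsvArray | export-csv -NoTypeInformation -Encoding Unicode (Join-Path $env:USERPROFILE ("Downloads\VTResults_" + $date + ".csv"))
        }
    }
    else
    {
        # Single-indicator mode: print the verdict for the one value given in -path.
        [array]$jsonresults = Get-VtReport $Path
        foreach ($item in $jsonresults)
        {
            if ($item.response_code -eq 0)
            {
                write-host "`nNot found in VT database." -ForegroundColor cyan
            }
            elseif (($item.response_code -eq 1) -and ($item.positives -ne 0))
            {
                Write-host "`nMalicious IOC" -BackgroundColor Red
                New-VtRow $item | Format-list
            }
            elseif (($item.response_code -eq 1))
            {
                Write-host "`nReported clean" -ForegroundColor Yellow
            }
        }
    }
}
--------------------------------------------------------------------------------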